At the end of 2018, Google announced its Titan M dedicated security chip that is currently installed on Google Pixel 3 and Pixel 4 devices. The chip was designed to process sensitive data and processes, include Verified Boot,
Now Google announced that it will pay up to $1 million
The bug hunters can receive up to $1.5 million for reporting exploit chain working against a preview version of the Android OS.
The decision of Google to increase bug bounty payouts is the response of the tech giant to bug bounty programs operated by zero-day brokers like Zerodium that are offering greater rewards for similar issues. In September, Zerodium has updated the price list for both Android and
A zero-click exploit chain for Android would be rewarded with up to $2.5 million, while an exploit chain for iOS only $2 million.
“Android security is improving with every new release of the OS thanks to the security teams of Google and Samsung, so it became very hard and time consuming to develop full chains of exploits for Android and it’s even harder to develop zero click exploits not requiring any user interaction,” explained Zerodium’s CEO Chaouki Bekrar.
“We will reward extra for a full exploit chain (typically multiple vulnerabilities chained together) that demonstrates arbitrary code execution, data
Below the maximum exploit rewards for each type of exploit:
|Pixel Titan M||Up to $1,000,000|
|Secure Element||Up to $250,000|
|Trusted Execution Environment||Up to $250,000|
|Kernel||Up to $250,000|
|Privileged Process||Up to $100,000|
The maximum reward for data of high-value data secured by Pixel Titan M is $500,000 while the maximum reward for Lockscreen bypass is up to $100,000.
Additional info is available on Android Security Rewards Program Rules page.
(SecurityAffairs – Titan M, Android)